We have discovered that the nt!NtQuerySystemInformation system call, invoked with the SystemPageFileInformation (0x12) and SystemPageFileInformationEx (0x90) information classes, discloses uninitialized kernel stack memory to user-mode clients. The vulnerability affects 64-bit versions of Windows 7 to 10. Based on the contents of the output structure returned by the kernel, we have concluded that it contains a nested UNICODE_STRING structure at offset 0x10, which has the following definition: typedef struct _LSA_UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING, *PUNICODE_STRING; On x64 builds, the compiler introduces 4 bytes of padding between the 'MaximumLength' and 'Buffer' fields in order to align the 'Buffer' pointer to an 8-byte boundary, so the padding occupies bytes 0x14-0x17 of the output buffer. These padding bytes appear never to be initialized in the kernel's local copy of the structure, and so they are returned to the user-mode caller as-is, disclosing 4 bytes of stale kernel stack contents.
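An added illustration, not code from the original advisory or from Windows: ctypes reproduces the x64 layout of the structure above and shows that assigning the three members one by one leaves bytes 4..7 holding whatever the stack local contained, while zeroing the local before use closes the leak. The 0xAA marker, the field values and the helper names are constructed for the demonstration.

```python
# Added illustration (not the advisory's or the kernel's code): model the x64
# UNICODE_STRING layout and the two ways a local copy can be populated.
import ctypes


class UNICODE_STRING(ctypes.Structure):
    # Same members and order as _LSA_UNICODE_STRING in the advisory. ctypes
    # applies the platform's natural alignment, so on a 64-bit build Buffer
    # lands at offset 8 and bytes 4..7 are padding that no member covers.
    _fields_ = [
        ("Length", ctypes.c_ushort),
        ("MaximumLength", ctypes.c_ushort),
        ("Buffer", ctypes.c_void_p),
    ]


OUTPUT_OFFSET = 0x10   # offset of the nested UNICODE_STRING in the output buffer (from the advisory)
STALE = 0xAA           # constructed stand-in for whatever the kernel stack held before the call


def struct_size():
    return ctypes.sizeof(UNICODE_STRING)   # 16 on x64


def padding_range():
    """Byte offsets inside the structure that no member writes: (4, 8) on x64."""
    start = UNICODE_STRING.MaximumLength.offset + ctypes.sizeof(ctypes.c_ushort)
    end = UNICODE_STRING.Buffer.offset
    return start, end


def padding_in_output():
    """Where the leaked bytes sit relative to the start of the output buffer."""
    start, end = padding_range()
    return OUTPUT_OFFSET + start, OUTPUT_OFFSET + end


def _stale_local():
    # The compiler does not clear a stack local; model its old contents with a marker.
    return bytearray([STALE]) * struct_size()


def fill_without_zeroing(length, maximum_length, buffer_ptr):
    """Vulnerable pattern: set each member, then copy the whole struct to the caller."""
    raw = _stale_local()
    s = UNICODE_STRING.from_buffer(raw)
    s.Length = length
    s.MaximumLength = maximum_length
    s.Buffer = buffer_ptr
    return bytes(raw)


def fill_with_zeroing(length, maximum_length, buffer_ptr):
    """Hardened pattern: zero the whole local first (RtlZeroMemory / memset)."""
    raw = _stale_local()
    raw[:] = bytes(len(raw))      # the clearing step the vulnerable code lacks
    s = UNICODE_STRING.from_buffer(raw)
    s.Length = length
    s.MaximumLength = maximum_length
    s.Buffer = buffer_ptr
    return bytes(raw)


def leaked_bytes(copied_struct):
    """The bytes a user-mode caller receives that no member of the struct wrote."""
    start, end = padding_range()
    return copied_struct[start:end]


def fields_of(copied_struct):
    """Decode the three members back out of a copied structure."""
    s = UNICODE_STRING.from_buffer_copy(copied_struct)
    return s.Length, s.MaximumLength, s.Buffer


if __name__ == "__main__":
    leak = fill_without_zeroing(0x1A, 0x1C, 0x7FFF0000)
    print("padding at output offsets %#x-%#x" % padding_in_output())
    print("vulnerable copy leaks:", leaked_bytes(leak).hex())
    print("hardened copy leaks:  ", leaked_bytes(fill_with_zeroing(0x1A, 0x1C, 0x7FFF0000)).hex())
```

The same check applies to any kernel-to-user copy: compare the bytes the caller receives against the union of byte ranges the members actually write, and anything outside that union is padding that must have been cleared explicitly.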
Sending an arbitrary, unexpected string to TCP port 7100, timed in a particular sequence, not only disconnects all clients but also crashes the hardware device.
The values of the 'channel_name' and 'platform' parameters are passed into the query without any validation or filtering, so a crafted value leads to SQL injection, which could result in full information disclosure.
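An added example, not the vulnerable product's code (the advisory names no query): a constructed SQLite table and a lookup that splices 'channel_name' and 'platform' into the statement text exactly as "without check and filter" implies, beside the parameterised version. The two attacker values show the tautology that widens the result set and the UNION that pulls a column the endpoint was never meant to return, which is what "full information disclosure" looks like in practice.

```python
# Added example (not the product's code): constructed table, constructed
# attacker input; only the two parameter names come from the advisory.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE channels (
            id INTEGER PRIMARY KEY, channel_name TEXT, platform TEXT, secret TEXT);
        INSERT INTO channels VALUES (1, 'news',   'web',     'token-1');
        INSERT INTO channels VALUES (2, 'sports', 'ios',     'token-2');
        INSERT INTO channels VALUES (3, 'music',  'android', 'token-3');
    """)
    return conn


def lookup_vulnerable(conn, channel_name, platform):
    """Both parameters are spliced into the SQL text unmodified."""
    sql = ("SELECT id, channel_name FROM channels "
           "WHERE channel_name = '%s' AND platform = '%s'" % (channel_name, platform))
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, channel_name, platform):
    """Bound parameters: the driver sends the values separately from the
    statement, so quotes and comment markers in them are only characters."""
    sql = "SELECT id, channel_name FROM channels WHERE channel_name = ? AND platform = ?"
    return conn.execute(sql, (channel_name, platform)).fetchall()


# Constructed attacker input for channel_name. TAUTOLOGY turns the WHERE
# clause into "x OR 1=1" and comments out the platform check; EXFILTRATE
# appends a UNION that returns the secret column in place of channel_name.
TAUTOLOGY = "x' OR 1=1 --"
EXFILTRATE = "x' UNION SELECT id, secret FROM channels --"


if __name__ == "__main__":
    db = make_db()
    print("legitimate:", lookup_fixed(db, "news", "web"))
    print("tautology, vulnerable:", lookup_vulnerable(db, TAUTOLOGY, "web"))
    print("tautology, fixed:     ", lookup_fixed(db, TAUTOLOGY, "web"))
    print("exfiltrate, vulnerable:", lookup_vulnerable(db, EXFILTRATE, "web"))
```

The fixed lookup returns nothing for the injected strings because no channel is literally named "x' OR 1=1 --"; input "filtering" that tries to strip quotes or keywords is not an adequate substitute for binding, since the database is the only component that knows exactly how it tokenises the statement.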
This is proof-of-concept code for exploiting CVE-2018-0886 (CredSSP). It relies on a fork of the rdpy project that also allows CredSSP relaying.
This exploit takes a path to write to (the file must already exist) and rewrites its first bytes to /*/x. If the file is a shell script, the shell expands the glob /*/x, which matches /tmp/x when that is the only such file, so /tmp/x runs as the script's first command. To gain root access, the idea is to use the exploit to overwrite any file in /etc/profile.d/, so that /*/x is executed at the next login, possibly as the root user.
This exploit targets a buffer overflow vulnerability in the Smart Install Client. It sends a malicious packet consisting of a header and two TLV (Type-Length-Value) fields: the first TLV carries a payload of 'BBBB' repeated 44 times (176 bytes), and the second carries a 2048-byte placeholder 'shellcode' of repeated 'D' characters. The header's data length field is set to the combined length of the payload and shellcode plus 40 bytes. The oversized fields overflow a fixed-size buffer in the client, allowing the attacker to execute arbitrary code on the target system.
Drupalgeddon2 (CVE-2018-7600) is a remote code execution vulnerability in Drupal versions 8.5.0, 8.4.5, 8.3.8 and 7.23 to 7.57. It allows an attacker to execute arbitrary code on the target system by sending a specially crafted request.
This exploit is a proof-of-concept for CVE-2018-7600 (Drupalgeddon2), a vulnerability in Drupal 7.x and 8.x that allows an attacker to execute arbitrary code on the target system. It works by sending a POST request carrying a specially crafted payload to the target server; the payload embeds the command the attacker wants run, and the server executes it.
Custom Forms version 2.0.3 is affected by remote command execution via CSV injection. A public user can inject spreadsheet formulas as part of form field values; when a user with higher privileges exports the form data as CSV and opens the file on their machine, the spreadsheet application evaluates the formula and the command is executed.
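An added example, not code from Custom Forms: a minimal CSV export of public form submissions written once as the pattern the advisory describes (values copied out unchanged) and once with formula-triggering cells neutralised, plus a reviewer's check that lists the cells a spreadsheet would evaluate. The column names, the submissions and the helper names are constructed for illustration; the DDE string in the sample data is the commonly used test payload and does nothing here, since nothing opens the file.

```python
# Added example (not the plugin's code): vulnerable export, hardened export,
# and a check for formula-like cells in the resulting file.
import csv
import io

# Leading characters that make Excel/LibreOffice evaluate the cell as a
# formula. Tab and CR are included because a cell can start with one and
# still be treated as a formula once the real trigger follows it.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

COLUMNS = ["name", "email", "comment"]          # constructed form layout

SUBMISSIONS = [                                  # constructed public submissions
    ["Alice", "alice@example.com", "thanks!"],
    # The widely used DDE test string: inert as text here, but a spreadsheet
    # that honours DDE would run the command when a privileged user opens the export.
    ["=cmd|' /C calc'!A0", "bob@example.com", "hi"],
    ["Carol", "carol@example.com", "-1+1"],     # looks like data, evaluates as a formula
]


def is_formula_like(value):
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def neutralise(value):
    """Prefix a single quote so the spreadsheet keeps the cell as literal text."""
    return "'" + value if is_formula_like(value) else value


def export_vulnerable(rows):
    """Writes whatever the public user submitted straight into the file."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(COLUMNS)
    writer.writerows(rows)
    return buf.getvalue()


def export_hardened(rows):
    """Neutralises formula-like cells and quotes every field; the csv module
    doubles any embedded quote, so a value cannot break out of its cell."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    writer.writerow(COLUMNS)
    writer.writerows([neutralise(cell) for cell in row] for row in rows)
    return buf.getvalue()


def formula_cells(csv_text):
    """Review check for an exported file: (row, column) of every cell a
    spreadsheet would evaluate. Row 0 is the header line."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                hits.append((r, c))
    return hits


if __name__ == "__main__":
    print("vulnerable export evaluates:", formula_cells(export_vulnerable(SUBMISSIONS)))
    print("hardened export evaluates:  ", formula_cells(export_hardened(SUBMISSIONS)))
    print(export_hardened(SUBMISSIONS))
```

The quote prefix is visible to whoever opens the export, which is the intended trade-off: legitimate values that begin with "+" or "-" (phone numbers, negative amounts) are shown as text rather than silently computed, and the exporting side has no way to know which spreadsheet, with which DDE or macro settings, will open the file.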
WordPress File Upload is a WordPress plugin with more than 20,000 active installations. Version 4.3.3 (and possibly earlier versions) is affected by a stored XSS vulnerability in the admin panel, related to the 'Edit_Setting' functionality.